Field of the Invention
This invention relates generally to the field of computer systems. More particularly, the invention relates to a system and method for implementing a trusted dynamic launch and trusted platform module (TPM) using secure enclaves.
Description of the Related Art
The assignee of the present patent application has designed a trusted computing platform known as Trusted Execution Technology (“TXT”) within some microprocessors and respective chipsets to provide computer users and computer system providers with a higher level of trust and control over computer systems. Currently, TXT is employed as a way to defend against software-based attacks aimed at accessing sensitive information. Although often used as a security technology, TXT may also be used to enable development of more advanced, tamper-resistant forms of digital rights management (DRM) and can be used to achieve vendor lock-in for hardware platforms.
Current TXT implementations consist of a set of hardware enhancements allowing the creation of multiple separated execution environments, sometimes referred to as “partitions.” One particular hardware component used with current TXT implementations is known as the Trusted Platform Module (TPM), which provides secure key generation and storage, as well as authenticated access to data encrypted by generated keys. The private key stored in the TPM is generally not available to the owner of the computer system, and never leaves the TPM chip under normal operation. The TPM that manages Trusted Platform requests generates keys and certificates for private environments (e.g., applications or service spaces) and manages the machine trust state to allow, for example, a local user (or even a remote party) to check the security on a workstation with a higher level of confidence using the Remote Attestation Protocol.
As illustrated in FIG. 1, a TPM module 100 includes an I/O port 120 for receiving TPM commands from the execution environment, processing the commands and communicating the results over a system bus (typically a low pin count (LPC) bus). An execution engine 104 executes program code 107 in response to the TPM commands and utilizes a variety of different TPM components to perform the necessary operations including a secure hash algorithm 1 (SHA-1) component 109 for performing SHA-1 hash operations; a random number generator 110 for generating random numbers; an attestation identify key (AIK) component 111 for securely establishing that a remote entity is communicating with the TPM; an RSA engine 105 for implementing RSA encryption and digital signatures; and a key generation module 106 for generating keys.
The TPM is an “opt-in” device meaning that the platform owner must take specific steps to turn the TPM on. An opt-in module 108 securely stores the platform owner's selection of the state of the TPM.
In addition, a non-volatile memory 101 and a volatile memory 102 are provided to store long term and temporary values, respectively, while executing TPM commands. Finally, a set of platform control registers (PCRs) are provided to keep track of measurements reported to the TPM. The PC Client Spec (TCG 2005a) specification requires a minimum of 24 PCRs. Reading and writing to a PCR requires specific TPM ordinals. When an entity needs to store a measurement in the TPM, the TPM provides an assurance that no other entity can change the measured value by not allowing any entity to write directly to the TPM. Rather, the entity “extends” the specified PCR. The extend operation concatenates the current PCR value with the new value and performs an SHA-1 hash on the concatenated value. The resulting hash value is the new PC value. A detailed description of the TPM can be found, for example, in David Grawrock, The Intel Safer Computing Initiative, Building Blocks for Trusted Computing, Intel Press (2006) (hereinafter “Grawrock”) at 119-142, and in the PC Client Spec referenced above.
For effective security it is important to know what causes the launch of a protected partition. Consequently, the CPU protection modes must receive proper initialization. To this end, current TXT implementations use Safer Mode Extensions (SMX) and Virtual Mode Extensions (VMX) and controls them through the CPU commands GETSEC [SENTER] and GETSEC [SEXIT]. A detailed description of these commands can be found in Grawrock at pages 185-212. Briefly, GETSEC is the CPU instruction that implements SMX extensions. The GETSEC [SENTER] operation provides for the creation of a secure partition during runtime, without the need to reboot the computer system. The GETSEC [SEXIT] instruction is then used to ensure the complete removal of all CPU state associated with the protected partition.
Currently, a dedicated TPM chip is required to implement a TXT environment as described above. As such, TXT implementations are not typically used on small form-factor, low cost computing platforms. Thus, to reduce the cost and complexity associated with TXT implementations, it would be beneficial to provide a solution which does not require a dedicated TPM chip.